Pau Espin Pedrol | 0696c60 | 2021-03-16 14:25:37 +0100 | [diff] [blame] | 1 | # This is a sample configuration file for freeDiameter daemon. |
| 2 | |
| 3 | # Most of the options can be omitted, as they default to reasonable values. |
| 4 | # Only TLS-related options must be configured properly in usual setups. |
| 5 | |
| 6 | # It is possible to use "include" keyword to import additional files |
| 7 | # e.g.: include "/etc/freeDiameter.d/*.conf" |
| 8 | # This is exactly equivalent as copy & paste the content of the included file(s) |
| 9 | # where the "include" keyword is found. |
| 10 | |
| 11 | |
| 12 | ############################################################## |
| 13 | ## Peer identity and realm |
| 14 | |
| 15 | # The Diameter Identity of this daemon. |
| 16 | # This must be a valid FQDN that resolves to the local host. |
| 17 | # Default: hostname's FQDN |
| 18 | #Identity = "aaa.koganei.freediameter.net"; |
| 19 | Identity = "${diameter.identity}.localdomain"; |
| 20 | |
| 21 | # The Diameter Realm of this daemon. |
| 22 | # Default: the domain part of Identity (after the first dot). |
| 23 | #Realm = "koganei.freediameter.net"; |
| 24 | Realm = "localdomain"; |
| 25 | |
| 26 | ############################################################## |
| 27 | ## Transport protocol configuration |
| 28 | |
| 29 | # The port this peer is listening on for incoming connections (TCP and SCTP). |
| 30 | # Default: 3868. Use 0 to disable. |
| 31 | Port = ${diameter.listen_port}; |
| 32 | |
| 33 | # The port this peer is listening on for incoming TLS-protected connections (TCP and SCTP). |
| 34 | # See TLS_old_method for more information about TLS flavours. |
| 35 | # Note: we use TLS/SCTP instead of DTLS/SCTP at the moment. This will change in future version of freeDiameter. |
| 36 | # Default: 5868. Use 0 to disable. |
| 37 | SecPort = 0; |
| 38 | |
| 39 | # Use RFC3588 method for TLS protection, where TLS is negociated after CER/CEA exchange is completed |
| 40 | # on the unsecure connection. The alternative is RFC6733 mechanism, where TLS protects also the |
| 41 | # CER/CEA exchange on a dedicated secure port. |
| 42 | # This parameter only affects outgoing connections. |
| 43 | # The setting can be also defined per-peer (see Peers configuration section). |
| 44 | # Default: use RFC6733 method with separate port for TLS. |
| 45 | #TLS_old_method; |
| 46 | |
| 47 | # Disable use of TCP protocol (only listen and connect over SCTP) |
| 48 | # Default : TCP enabled |
| 49 | #No_TCP; |
| 50 | |
| 51 | # Disable use of SCTP protocol (only listen and connect over TCP) |
| 52 | # Default : SCTP enabled |
| 53 | #No_SCTP; |
| 54 | # This option is ignored if freeDiameter is compiled with DISABLE_SCTP option. |
| 55 | |
| 56 | # Prefer TCP instead of SCTP for establishing new connections. |
| 57 | # This setting may be overwritten per peer in peer configuration blocs. |
| 58 | # Default : SCTP is attempted first. |
| 59 | #Prefer_TCP; |
| 60 | |
| 61 | # Default number of streams per SCTP associations. |
| 62 | # This setting may be overwritten per peer basis. |
| 63 | # Default : 30 streams |
| 64 | #SCTP_streams = 30; |
| 65 | |
| 66 | ############################################################## |
| 67 | ## Endpoint configuration |
| 68 | |
| 69 | # Disable use of IP addresses (only IPv6) |
| 70 | # Default : IP enabled |
| 71 | #No_IP; |
| 72 | |
| 73 | # Disable use of IPv6 addresses (only IP) |
| 74 | # Default : IPv6 enabled |
| 75 | #No_IPv6; |
| 76 | |
| 77 | # Specify local addresses the server must bind to |
| 78 | # Default : listen on all addresses available. |
| 79 | #ListenOn = "202.249.37.5"; |
| 80 | #ListenOn = "2001:200:903:2::202:1"; |
| 81 | #ListenOn = "fe80::21c:5ff:fe98:7d62%eth0"; |
| 82 | ListenOn = "${diameter.listen_address}"; |
| 83 | |
| 84 | |
| 85 | ############################################################## |
| 86 | ## Server configuration |
| 87 | |
| 88 | # How many Diameter peers are allowed to be connecting at the same time ? |
| 89 | # This parameter limits the number of incoming connections from the time |
| 90 | # the connection is accepted until the first CER is received. |
| 91 | # Default: 5 unidentified clients in paralel. |
| 92 | #ThreadsPerServer = 5; |
| 93 | |
| 94 | ############################################################## |
| 95 | ## TLS Configuration |
| 96 | |
| 97 | # TLS is managed by the GNUTLS library in the freeDiameter daemon. |
| 98 | # You may find more information about parameters and special behaviors |
| 99 | # in the relevant documentation. |
| 100 | # http://www.gnu.org/software/gnutls/manual/ |
| 101 | |
| 102 | # Credentials of the local peer |
| 103 | # The X509 certificate and private key file to use for the local peer. |
| 104 | # The files must contain PKCS-1 encoded RSA key, in PEM format. |
| 105 | # (These parameters are passed to gnutls_certificate_set_x509_key_file function) |
| 106 | # Default : NO DEFAULT |
| 107 | #TLS_Cred = "<x509 certif file.PEM>" , "<x509 private key file.PEM>"; |
| 108 | #TLS_Cred = "/etc/ssl/certs/freeDiameter.pem", "/etc/ssl/private/freeDiameter.key"; |
| 109 | TLS_Cred = "${diameter.inst_prefix}/etc/freeDiameter/${diameter.identity}.cert.pem", "${diameter.inst_prefix}/etc/freeDiameter/${diameter.identity}.key.pem"; |
| 110 | |
| 111 | # Certificate authority / trust anchors |
| 112 | # The file containing the list of trusted Certificate Authorities (PEM list) |
| 113 | # (This parameter is passed to gnutls_certificate_set_x509_trust_file function) |
| 114 | # The directive can appear several times to specify several files. |
| 115 | # Default : GNUTLS default behavior |
| 116 | #TLS_CA = "<file.PEM>"; |
| 117 | TLS_CA = "${diameter.inst_prefix}/etc/freeDiameter/cacert.pem"; |
| 118 | |
| 119 | # Certificate Revocation List file |
| 120 | # The information about revoked certificates. |
| 121 | # The file contains a list of trusted CRLs in PEM format. They should have been verified before. |
| 122 | # (This parameter is passed to gnutls_certificate_set_x509_crl_file function) |
| 123 | # Note: openssl CRL format might have interoperability issue with GNUTLS format. |
| 124 | # Default : GNUTLS default behavior |
| 125 | #TLS_CRL = "<file.PEM>"; |
| 126 | |
| 127 | # GNU TLS Priority string |
| 128 | # This string allows to configure the behavior of GNUTLS key exchanges |
| 129 | # algorithms. See gnutls_priority_init function documentation for information. |
| 130 | # You should also refer to the Diameter required TLS support here: |
| 131 | # http://tools.ietf.org/html/rfc6733#section-13.1 |
| 132 | # Default : "NORMAL" |
| 133 | # Example: TLS_Prio = "NONE:+VERS-TLS1.1:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL"; |
| 134 | #TLS_Prio = "NORMAL"; |
| 135 | |
| 136 | # Diffie-Hellman parameters size |
| 137 | # Set the number of bits for generated DH parameters |
| 138 | # Valid value should be 768, 1024, 2048, 3072 or 4096. |
| 139 | # (This parameter is passed to gnutls_dh_params_generate2 function, |
| 140 | # it usually should match RSA key size) |
| 141 | # Default : 1024 |
| 142 | #TLS_DH_Bits = 1024; |
| 143 | |
| 144 | # Alternatively, you can specify a file to load the PKCS#3 encoded |
| 145 | # DH parameters directly from. This accelerates the daemon start |
| 146 | # but is slightly less secure. If this file is provided, the |
| 147 | # TLS_DH_Bits parameters has no effect. |
| 148 | # Default : no default. |
| 149 | #TLS_DH_File = "<file.PEM>"; |
| 150 | |
| 151 | |
| 152 | ############################################################## |
| 153 | ## Timers configuration |
| 154 | |
| 155 | # The Tc timer of this peer. |
| 156 | # It is the delay before a new attempt is made to reconnect a disconnected peer. |
| 157 | # The value is expressed in seconds. The recommended value is 30 seconds. |
| 158 | # Default: 30 |
| 159 | #TcTimer = 30; |
| 160 | |
| 161 | # The Tw timer of this peer. |
| 162 | # It is the delay before a watchdog message is sent, as described in RFC 3539. |
| 163 | # The value is expressed in seconds. The default value is 30 seconds. Value must |
| 164 | # be greater or equal to 6 seconds. See details in the RFC. |
| 165 | # Default: 30 |
| 166 | #TwTimer = 30; |
| 167 | |
| 168 | ############################################################## |
| 169 | ## Applications configuration |
| 170 | |
| 171 | # Disable the relaying of Diameter messages? |
| 172 | # For messages not handled locally, the default behavior is to forward the |
| 173 | # message to another peer if any is available, according to the routing |
| 174 | # algorithms. In addition the "0xffffff" application is advertised in CER/CEA |
| 175 | # exchanges. |
| 176 | # Default: Relaying is enabled. |
| 177 | #NoRelay; |
| 178 | |
| 179 | # Number of server threads that can handle incoming messages at the same time. |
| 180 | # Default: 4 |
| 181 | #AppServThreads = 4; |
| 182 | |
| 183 | # Other applications are configured by loaded extensions. |
| 184 | |
| 185 | ############################################################## |
| 186 | ## Extensions configuration |
| 187 | |
| 188 | # The freeDiameter framework merely provides support for |
| 189 | # Diameter Base Protocol. The specific application behaviors, |
| 190 | # as well as advanced functions, are provided |
| 191 | # by loadable extensions (plug-ins). |
| 192 | # These extensions may in addition receive the name of a |
| 193 | # configuration file, the format of which is extension-specific. |
| 194 | # |
| 195 | # Format: |
| 196 | #LoadExtension = "/path/to/extension" [ : "/optional/configuration/file" ] ; |
| 197 | # |
| 198 | # Examples: |
| 199 | #LoadExtension = "extensions/sample.fdx"; |
| 200 | #LoadExtension = "extensions/sample.fdx":"conf/sample.conf"; |
| 201 | |
| 202 | # Extensions are named as follow: |
| 203 | # dict_* for extensions that add content to the dictionary definitions. |
| 204 | # dbg_* for extensions useful only to retrieve more information on the framework execution. |
| 205 | # acl_* : Access control list, to control which peers are allowed to connect. |
| 206 | # rt_* : routing extensions that impact how messages are forwarded to other peers. |
| 207 | # app_* : applications, these extensions usually register callbacks to handle specific messages. |
| 208 | # test_* : dummy extensions that are useful only in testing environments. |
| 209 | |
| 210 | |
| 211 | # The dbg_msg_dump.fdx extension allows you to tweak the way freeDiameter displays some |
| 212 | # information about some events. This extension does not actually use a configuration file |
| 213 | # but receives directly a parameter in the string passed to the extension. Here are some examples: |
| 214 | ## LoadExtension = "dbg_msg_dumps.fdx" : "0x1111"; # Removes all default hooks, very quiet even in case of errors. |
| 215 | ## LoadExtension = "dbg_msg_dumps.fdx" : "0x2222"; # Display all events with few details. |
| 216 | ## LoadExtension = "dbg_msg_dumps.fdx" : "0x0080"; # Dump complete information about sent and received messages. |
| 217 | # The four digits respectively control: connections, routing decisions, sent/received messages, errors. |
| 218 | # The values for each digit are: |
| 219 | # 0 - default - keep the default behavior |
| 220 | # 1 - quiet - remove any specific log |
| 221 | # 2 - compact - display only a summary of the information |
| 222 | # 4 - full - display the complete information on a single long line |
| 223 | # 8 - tree - display the complete information in an easier to read format spanning several lines. |
| 224 | |
| 225 | LoadExtension = "${diameter.inst_prefix}/lib/freeDiameter/dbg_msg_dumps.fdx" : "0x8888"; |
| 226 | LoadExtension = "${diameter.inst_prefix}/lib/freeDiameter/dict_rfc5777.fdx"; |
| 227 | LoadExtension = "${diameter.inst_prefix}/lib/freeDiameter/dict_mip6i.fdx"; |
| 228 | LoadExtension = "${diameter.inst_prefix}/lib/freeDiameter/dict_nasreq.fdx"; |
| 229 | LoadExtension = "${diameter.inst_prefix}/lib/freeDiameter/dict_nas_mipv6.fdx"; |
| 230 | LoadExtension = "${diameter.inst_prefix}/lib/freeDiameter/dict_dcca.fdx"; |
| 231 | LoadExtension = "${diameter.inst_prefix}/lib/freeDiameter/dict_dcca_3gpp.fdx"; |
| 232 | |
| 233 | |
| 234 | ############################################################## |
| 235 | ## Peers configuration |
| 236 | |
| 237 | # The local server listens for incoming connections. By default, |
| 238 | # all unknown connecting peers are rejected. Extensions can override this behavior (e.g., acl_wl). |
| 239 | # |
| 240 | # In addition to incoming connections, the local peer can |
| 241 | # be configured to establish and maintain connections to some |
| 242 | # Diameter nodes and allow connections from these nodes. |
| 243 | # This is achieved with the ConnectPeer directive described below. |
| 244 | # |
| 245 | # Note that the configured Diameter Identity MUST match |
| 246 | # the information received inside CEA, or the connection will be aborted. |
| 247 | # |
| 248 | # Format: |
| 249 | #ConnectPeer = "diameterid" [ { parameter1; parameter2; ...} ] ; |
| 250 | # Parameters that can be specified in the peer's parameter list: |
| 251 | # No_TCP; No_SCTP; No_IP; No_IPv6; Prefer_TCP; TLS_old_method; |
| 252 | # No_TLS; # assume transparent security instead of TLS. DTLS is not supported yet (will change in future versions). |
| 253 | # Port = 5868; # The port to connect to |
| 254 | # TcTimer = 30; |
| 255 | # TwTimer = 30; |
| 256 | # ConnectTo = "202.249.37.5"; |
| 257 | # ConnectTo = "2001:200:903:2::202:1"; |
| 258 | # TLS_Prio = "NORMAL"; |
| 259 | # Realm = "realm.net"; # Reject the peer if it does not advertise this realm. |
| 260 | # Examples: |
| 261 | #ConnectPeer = "aaa.wide.ad.jp"; |
| 262 | #ConnectPeer = "old.diameter.serv" { TcTimer = 60; TLS_old_method; No_SCTP; Port=3868; } ; |
| 263 | ConnectPeer = "${diameter.connect_name}.localdomain" { ConnectTo = "${diameter.connect_address}"; Port = ${diameter.connect_port}; No_TLS; }; |
| 264 | |
| 265 | |
| 266 | ############################################################## |